IDM Co-existence Question

Is it possible to have two separate IDM environments using the same tree on a temporary basis for a staggered migration? Something like server A is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8). Server B is running IDM 4.7 and connecting to tree A (running 9.x). Can we migrate drivers from 4.02 to 4.7 one by one and would this be supported?

Re: IDM Co-existence Question

TSchmauch,>> Is it possible to have two separate IDM environments using the same tree> on a temporary basis for a staggered migration? Something like server A> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).> Server B is running IDM 4.7 and connecting to tree A (running 9.x).> Can we migrate drivers from 4.02 to 4.7 one by one and would this be> supported?>> Thank you> Tom>>I'm not sure you can go directly from 4.02 to 4.7, but this approachshould work for going from 4.02 to 4.6.3. I can say that because I justdid it. I can provide high-level step-by-step instructions if you needthem.

Re: IDM Co-existence Question

Just to be clear, there aren't "two separate IDM environments" in myapproach. Rather, I added a new IDM 4.6.3 server to my existing driverset, copied the server-specific data, then stopped the driver running onthe old server and started it on the new one.

Re: IDM Co-existence Question

6423241 <dougperiodblack@osumcperiod.edu> wrote:> TSchmauch,>>>> Is it possible to have two separate IDM environments using the same tree>> on a temporary basis for a staggered migration? Something like server A>> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).>> Server B is running IDM 4.7 and connecting to tree A (running 9.x).>> Can we migrate drivers from 4.02 to 4.7 one by one and would this be>> supported?>>>> Thank you>> Tom>>>>> I'm not sure you can go directly from 4.02 to 4.7, but this approach> should work for going from 4.02 to 4.6.3. I can say that because I just> did it. I can provide high-level step-by-step instructions if you need> them.>

you can definitely use a migrate to new server approach to go from 4.0.2 to4.7. without going through interim 4.6.x stage.

I have done that recently.

The wrinkles come with upgrading specific drivers especially userapplication, but even that can be solved.

Re: IDM Co-existence Question

On 4/2/2019 7:54 PM, TSchmauch wrote:>> Thank you for the help! My thought was to create 2 new driver sets to> get the critical drivers over to 4.7, then for the less critical ones> migrate the existing to 4.7.

Do not make a new driver set. Just have the 4.02 annd 4.7 servers in thesame driver set and stop each driver on one, restart on th eother (aftercopying server specific info).

Re: IDM Co-existence Question

6423241;2497665 wrote:TSchmauch,>> Is it possible to have two separate IDM environments using the same tree> on a temporary basis for a staggered migration? Something like server A> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).> Server B is running IDM 4.7 and connecting to tree A (running 9.x).> Can we migrate drivers from 4.02 to 4.7 one by one and would this be> supported?>> Thank you> Tom>>I'm not sure you can go directly from 4.02 to 4.7, but this approachshould work for going from 4.02 to 4.6.3. I can say that because I justdid it. I can provide high-level step-by-step instructions if you needthem.

If you can send high level instructions, that would be very helpful. Thank you!

Re: IDM Co-existence Question

TSchmauch,>> If you can send high level instructions, that would be very helpful.> Thank you!>

Okay, here's the process in a nutshell:

1. Install IDM vault & engine software on new server and add it to the tree

2. Add new server to the existing driver seta. In Designer, right-click on the Identity Vault object and select'New > Server'. Enter the DN of the new server (or browse to it) andclick OK.b. right-click on the driver set object and select Properties. Click'Server List', then move the new server from the 'Available Servers'column to the 'Selected Servers' column. Click Apply

3. Copy settings to the new servera. Right-click on the driver you are migratingb. Select Copy > Server-Specific settingsc. Select the source (old) server, then check the box that correspondsto the target driver & serverd. Select the data you want to copy (GCVs, named passwords,authentication information, etc) and click OKNB: If memory serves, you can't copy passwords as part of this processunless they are named passwords. If they are not, you may have to resetdriver object, application, and/or remote loader passwords later in theprocess

4. Stop the driver, then deploy your new configuration. Double-check tomake sure the driver is stopped and disabled on the old server, thenstart it on the new server.

Re: IDM Co-existence Question

On 4/2/2019 4:24 PM, TSchmauch wrote:>> Is it possible to have two separate IDM environments using the same tree> on a temporary basis for a staggered migration? Something like server A> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).> Server B is running IDM 4.7 and connecting to tree A (running 9.x).> Can we migrate drivers from 4.02 to 4.7 one by one and would this be> supported?

Re: IDM Co-existence Question

On 02.04.19 22:24, TSchmauch wrote:>> Is it possible to have two separate IDM environments using the same tree> on a temporary basis for a staggered migration? Something like server A> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).> Server B is running IDM 4.7 and connecting to tree A (running 9.x).> Can we migrate drivers from 4.02 to 4.7 one by one and would this be> supported?>> Thank you> Tom>>

To my understanding, you cannot officially go directly from 4.0.2 to4.7. You need 4.5.6 or 4.6.x

The documentation for 4.6 spells out that you need 4.5 if you come from4.0.2.

Re: IDM Co-existence Question

On 4/3/2019 5:23 AM, Casper Pedersen wrote:> On 02.04.19 22:24, TSchmauch wrote:>>>> Is it possible to have two separate IDM environments using the same tree>> on a temporary basis for a staggered migration?Â Something like server A>> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).>> Server B is running IDM 4.7 and connecting to tree A (running 9.x).>> Can we migrate drivers from 4.02 to 4.7 one by one and would this be>> supported?>>>> Thank you>> Tom>>>>>> To my understanding, you cannot officially go directly from 4.0.2 to> 4.7. You need 4.5.6 or 4.6.x>> The documentation for 4.6 spells out that you need 4.5 if you come from> 4.0.2.>> The easiest is 4.0.2 -> 4.5.6 -> 4.7>> Documentation:> https://www.netiq.com/documentation/identity-manager-47/setup_linux/data/supported-upgrade-paths.html

Re: IDM Co-existence Question

On 03.04.19 15:40, Geoffrey Carman wrote:> On 4/3/2019 5:23 AM, Casper Pedersen wrote:>> On 02.04.19 22:24, TSchmauch wrote:>>>>>> Is it possible to have two separate IDM environments using the same tree>>> on a temporary basis for a staggered migration?Â Something like server A>>> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).>>> Server B is running IDM 4.7 and connecting to tree A (running 9.x).>>> Can we migrate drivers from 4.02 to 4.7 one by one and would this be>>> supported?>>>>>> Thank you>>> Tom>>>>>>>>>> To my understanding, you cannot officially go directly from 4.0.2 to >> 4.7. You need 4.5.6 or 4.6.x>>>> The documentation for 4.6 spells out that you need 4.5 if you come >> from 4.0.2.>>>> The easiest is 4.0.2 -> 4.5.6 -> 4.7>>>> Documentation: >> https://www.netiq.com/documentation/identity-manager-47/setup_linux/data/supported-upgrade-paths.html> > > Is that really an engine issue or just a UA issue?>

Taking my hat off ...

Possibly more an UA issue than engine. You need to upgrade the DB schema.

Re: IDM Co-existence Question

I think NetIQ does not support upgrade/migration from 4.02 to 4.7 because they did not tried it, but I confirm I did it without any problem:1) Add new servers with IDM 4.7 in the tree2) Migrate you drivers one by one from IDM 4.02 servers to IDM 4.7 servers (use Migrate option in Designer to copy config to new servers and then deploy the driver)3) Upgrade the Remote loader if any4) Optionally you can upgrade the drivers configuration/package, but it's a lot of work.5) If you have RBPM (AE edition) you must upgrade your drivers configuration (Roles, UserApp)

Re: IDM Co-existence Question

On 4/9/2019 10:24 AM, sma wrote:>> I think NetIQ does not support upgrade/migration from 4.02 to 4.7> because they did not tried it, but I confirm I did it without any> problem:> 1) Add new servers with IDM 4.7 in the tree> 2) Migrate you drivers one by one from IDM 4.02 servers to IDM 4.7> servers (use Migrate option in Designer to copy config to new servers> and then deploy the driver)> 3) Upgrade the Remote loader if any> 4) Optionally you can upgrade the drivers configuration/package, but> it's a lot of work.> 5) If you have RBPM (AE edition) you must upgrade your drivers> configuration (Roles, UserApp)

I really think that the conversation about upgrading and requiring apass through a particular version (4.5.3 or 4.6.x) to get to the latestis really about the User App/Identity Apps. And there it is really aboutkeeping the database intact.

We would be far better off if we could export the actual DB data, throwaway the old one, simply reinstall a new one and put back what we want.

the engine itself very rarely cares about upgrades and the path you tookit through.

Biggest compatability issues are things like Remote Loaders, needing aJVM that matches the engine JVM so SSL/TLS/Ciphers all match. Easy to fix.

Also, the change from JDBM to MapDB to ZoomDB means you need to makesure to update shims as well sometimes.

So always distinguish between engine and Identity Apps.

Also, there are platform support changes (Sometimes you need a new OS torun the latest eDir which is needed by the latest IDM...)

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.